During the now two-year pandemic, the digital world has seen a noticeable increase in online activity, more specifically mobile activity. The need to not rely on physical banks or handle physical money has fueled the surge in mobile money transactions. In fact, according to the GSMA, 1.21 billion mobile money accounts were registered in 2020 marking a 12.7% growth, in 96 countries. The GSMA also states that the transaction values increasingly grew as well, with daily transactions exceeding $2 billion and transactions expected to surpass $3 billion per day by the end of 2022.  

This year also marked a spike in investments in the digital payments space, starting with fintechs and mobile money services. As mobile phone users are expected to reach half of the African continent’s population by 2025 according to the GSMA, internet penetration increases, and overall greater adoption of digital financial services, investors are betting all on mobile financial services. Just last month, Airtel Africa’s mobile money service received a $50 million investment by Chimera investments, backed by a previous $25 million investment by Mastercard. Mobile money is a particularly versatile payment tool that is used for a variety of different purposes, particularly in countries in Sub-Saharan Africa and South Asia. Mobile money is used to receive a monthly salary, pay bills, lend money, and make purchases online or in physical stores.

The attention mobile money has received by investors foreshadows the tremendous potential of mobile money this year. Mobile operators looking to pave the smoothest way for this explosive growth must first address the organizational body of their mobile money services. 

More independent mobile money services entities for robust growth in 2022 

Regulators of mobile operators have a well-defined set of regulations they must follow that specifically pertain to the telecommunication services they offer. As we have seen, mobile operators have been developing their financial potential and deploying mobile money services that have gained paramount daily transaction value. In most cases, MNOs have to comply with both the telco regulations and stricter mobile money regulations. This is extremely costly and complicated for mobile operators who must enforce a myriad of regulations. 

What we have seen in recent years, and what we will continue to see in 2022, is mobile operators creating a separate mobile money entity to be able to grow their business with greater ease and flexibility, following only specific mobile money regulations. Major mobile operators such as Orange and Airtel have initiated this organizational reconstruction, respectively with Orange Money and Airtel Money. Thanks to this set up mobile operators will be able to make their mobile money services a separate, independent company with the freedom to grow and become what it strives to be: a fintech. 

Fintechs in Africa have raised nearly $5 billion in 2021, and as sole mobile money providers, the companies will attract even more investments. Investors will be lured by the youngness of the business, where there is sill be room to grow and to decide what direction the child company can take. 

The freedom will also lie in the tools that mobile money providers can choose. The giant mobile operators already have dedicated tools and integrated processes for each specific activity, even when it comes to dealing with fraud. As a separate entity, the company can decide to choose the right anti-fraud tools, which are specific to a fintech company and the specific fraud-related challenges it faces. Mobile money can’t be treated like telecommunications, neither with the same regulations nor with the same anti-fraud solutions. Mobile money has its own specific needs, and with it, its own specific solutions. At Evina, we’ve developed a whole range of anti-fraud solutions that sustain mobile operators, to not only detect fraud but to do so while growing the business revenue. For mobile money, we have designed Mobile Money protect, a cutting-edge anti-fraud solution that tackles fraud attempts on mobile money services. 

Along with the creation of the separate mobile money entity,  there is a critical need to convince regulators to create enabling regulations for these entities to grow. 

Strengthened trust vis-à-vis the regulator and anti-fraud measures  

With the growing value of daily mobile money transactions, central banks and major regulators are seeking to regulate the large flow of money and protect the interests of all stakeholders. When fraud comes into play, regulators will automatically impose stricter rules that will limit the growth of mobile operators because they cannot be trusted to regulate themselves. It’s why it is in the interest of mobile operators to keep fraud at bay and have the right tools to manage these attacks. Major operators such as Airtel have already raised concerns regarding fraud on mobile money « What keeps me up at night frankly is the risks that are emerging through cyber [crime] » CEO of Airtel mobile commerce BV.

We have seen this phenomenon in plenty of markets: when responsible players implement Evina state-of-the-art anti-fraud solutions, entire markets have reaped the benefits, and payment methods such as direct carrier billing have been restored thanks to this renewed trust. Mobile Money Protect, Evina’s anti-fraud solution for mobile money payments, was designed to fend off fraud attacks on mobile money and help mobile operators reach new opportunities. 

This new year will be vital for mobile operators to explore where fraud-free mobile money will take them, as independent entities and in an environment that fosters growth with empowering regulators. 

Sources:

• https://techcrunch.com/2022/01/04/fintechs-in-africa-continue-to-overshadow-all-other-startups-in-funding-gained/ 
• https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2021/03/GSMA_State-of-the-Industry-Report-on-Mobile-Money-2021_Full-report.pdf 
• https://www.idc.com/getdoc.jsp?containerId=META48126221
• https://qz.com/africa/2109686/airtel-money-africa-ceo-vimal-kumar-explains-mobile-money-spin-off/

The post A promising future for mobile money: Investment spike, separate entities, and confident regulators appeared first on Evina.

A DCB market facing “healthy issues”

This type of market condition is the ideal situation. Here, fraud is no longer unmanageable because the mobile players in the ecosystem have found the right tools to keep fraud at bay. The trust between players is strong enough to continue to make payments through the carrier billing channel.  

The most common challenge facing mobile operators and merchants is learning how to manage the strong growth of user purchases through  DCB. Oftentimes, this surge in growth brings along an increase of issues related to user awareness regarding their purchases. Landing pages must follow a clear deontological chart to make the entire purchasing experience clear to the user, with no misleading buttons and information. User complaints are the most frequent issue encountered in healthy DCB markets.

To manage user complaints, Evina offers a simple brand safety solution to track flows of traffic and determine the level of compliance of ad placements. The solution makes it easy to identify content providers that generate fraudulent traffic, hence that are the source that generates user complaints. Evina Eyewitness is the other solution that is tailor-made for this situation, as the first solution in the world able to record data-enriched videos of what users actually see and do on the payment page. It saves time and money in complaints management and helps all players to maintain trustful and transparent relationships. 

Dormant DCB markets that are ready to reflourish in 2022

When mobile players who offer DCB are not able to establish a solid level of trust among merchants, payment aggregators, mobile operators, and regulators, this payment method is quick to fail. The element of trust is disrupted by levels of unmanaged fraud, and unfortunately, it results in the suspension of direct carrier billing. We’ve seen this situation numerous times, here is the perfect example.

Sometimes, all it takes to reopen a DCB flow is partnering with one merchant that has proven to bring healthy traffic with low user complaint rates by working with the right anti-fraud partner. As the mobile operator realizes the potential of DCB payment flows, other partners will implement the anti-fraud solutions to protect and quickly install this quick and easy payment channel. 

In this case, mobile operators can suggest merchants implement the core anti-fraud solution to detect and help block fraud attempts, Evina DCBprotect. DCBprotect is powered by cutting-edge technology that detects 99,94% of fraudulent transactions, with a  0,06% false-positive rate and <100ms latency, assuring not only the best protection but also maximizing legitimate transactions and increasing DCB revenue.

DCB markets in critical fraud situations

Another situation we often see is markets where DCB is operational, yet heavily endangered by fraud attacks. Cybercriminals are hooked on these kinds of markets that haven’t adequately protected their mobile payment channels as they prey on the weakest links, with minimal to no anti-fraud protection. 

High levels of fraud compromise the trust between mobile operators and merchants, and jeopardize the existence of DCB. In fact, we have dealt with situations where mobile operators have resorted to shutting down DCB altogether, thinking there was no other way.  

The solution here is to start protecting DCB as quickly as possible with the most effective anti-fraud solutions, starting with Evina DCBprotect. In addition to the core solution, players can implement the aforementioned solutions Evina Eyewitness and brand safety, to meet specific needs and reduce user complaints, after solving the heart of the problem. 

The post How to ensure the strongest DCB development in 2022 depending on the condition of your DCB market appeared first on Evina.

They work in exactly the same way. Their objective is to steal mobile users’ Facebook login credentials and data.

These apps require users to log in to their Facebook account to allow them to access the app’s content and, therefore, collect the credentials.

Below is one of the apps that featured malware, and was downloaded over +500K times.

How it works

To steal login credentials, the malware launches a webview and runs a javascript command to retrieve the values typed by the user.

The next step is to use the API graph to get the account information.

The interesting malware feature

The malware is interested in the advertising campaigns that mobile users might have launched, and it’s also interested in the credit card they have registered to do so.  

This allows the malware to create its own advertising campaigns with the mobile user’s account, and thus their credit card.

Here is a list of other identified malware-infected apps – in the top new apps of the Play Store:

https://play.google.com/store/apps/details?id=com.cutestudio.neonphotoeffect&gl=FR

https://play.google.com/store/apps/details?id=com.meicalhowell.motion.pixmotion…

https://play.google.com/store/apps/details?id=com.Blodwen.Gower.photoeditlab…

Note: At the moment, most of these apps have been deleted.

Credits: Maxime Ingrao

To never miss a cybersecurity update, subscribe to our newsletter.

The post The return of the Facebook thieves appeared first on Evina.

We had Google shut down those applications. Evina managed to successfully reverse-engineer the malware which enabled us to protect end users against it. This is critical for our customers:

Brigitte De Ducla, Orange France

“We have successful results with Evina; in addition to providing us with premium protection on our carrier billing, they also help us create a safer customer journey, therefore preserving the global experience of our clients”.

Here’s how they steal your Facebook

When an application is launched on your phone, the malware queries the application name. If it is a Facebook application, the malware will launch a browser that loads Facebook at the same time. The browser is displayed in the foreground which makes you think that the application launched it. When you enter your credentials into this browser, the malware executes java script to retrieve them. The malware then sends your account information to a server.

Lionel Ferri, Evina CTO: “It’s a fraudulent technique that points out the danger and reflects how important it is to protect yourself. It cannot be identified by Facebook as the malware displays in front of the legit app when it is launched”.

Why are you always targeted? Because everyone is targeted.

Internet-based fraud has become so pervasive that sometimes it seems as if everyone you meet has, at some point or another, been a victim of digital fraud. Often when one is targeted by online fraudsters, the first reaction is ‘why me?’.

Rest assured that we are all in the same boat and while it is normal for the victim to think they have been specifically targeted, we are all targets. Furthermore, we must highlight that victims should never be blamed for the criminal actions of others.

Fraudsters are everywhere and they are not confined to the DCB sector. They lurk in every nook and cranny of the web and it is the job of experts like Evina to flush them out. Our clients are very helpful in this regard. They regularly provide us with valuable information that helps us lift the lid on what you could call the “digital fraud of the day”.

In conclusion, keep in mind once that the victims are not the culprits: the app developer, the app store and all other legitimate players involved are simply innocent victims of fraudsters and their malware.

The post They steal your Facebook appeared first on Evina.

All Evina customers: mobile operators, payment gateways and content editors are protected from MobOk and in doing so, so are all their customers.

How does it work? MobOk collects information that is useful for its fraudulent activities such as the relevant operator details and mobile device screen size. It then launches an invisible browser that aims to subscribe the user to premium-rate mobile services using the applicable billing operator.

MobOk will ask for permission to read notifications and this is how the malware is able to retrieve the content of SMS messages. Consumers have to accept permissions manually.

There are several indications that this type of fraud initiated in Germany. First of all, the majority of negative comments are in German, furthermore the application communicates with the ium2.de domain and finally we have received attacks on German IPs. Other cases concern Asia, especially Thailand and Malaysia.

DETECTION

Evina has created a honeypot that uses a network of 3G proxy SIM cards around the world to attract fraudulent activity. When we use SIMs in Germany, we have seen fraudulent subscriptions as a result of the MobOk application.

MOBOK GENERATIONS

The malware family has evolved a way to load its fraudulent code to avoid detection by the Play Store.

First generation

In the beginning, the malicious code was located directly in the application with only a simple obfuscation.

Second generation

In the second generation of MobOk, the malware had an encrypted DEX file in the Assets folder that contained all the malicious code. The decrypted function was directly in the code.

Third generation

Finally, MobOk uses the Bangcle packer, to hide all the files from the library and also has significant anti-reverse engineering protection.

FRAUD SCENARIO

During the attack, MobOk sends information from the affected phone to a C&C (Command and Control) server whose domain is: ium2.de. The send request is encrypted by the application.

The server in response provides MobOk with the URLs and Javascript to execute in order to achieve this fraud. The response is also encrypted.

Then, MobOk turns off the WiFi to connect to the mobile network where it will be able to charge for the premium service.

Finally, the malware launches an invisible browser where it browses the URLs it has received and executes Javascript commands.

SUMMARY

MobOk is a family of malware that is constantly evolving to remain undetected by the Google Play Store. In its latest generation, and according to our sources, none of the malware in the family has been detected. It is quite likely that MobOk will spread to many other countries and, given the code, that it will extend its fraudulent activities.

HOW TO PROTECT YOURSELF?

If you are an end-user, it is necessary to be careful with the applications you download. To limit the risk, we advise you:

• To check the comments on the application page
• To check the permissions (a wallpaper app does not need to have any specific phone permissions)
• Avoid flashlight, scanner, wallpaper, SMS applications

If you are a service provider, such as a mobile carrier, payment gateway or content editor, you must use an independent anti-fraud solution expert in payment and mobile cybersecurity. 

Evina guarantees end-users safety and ensures a sustainable growth of the German mobile payment market, collaborating with local carriers such as Mobilcom-Debitel and T-Mobile.

APPS

The post Evina protects end users from MobOk: an incessantly mutating malware family in Germany appeared first on Evina.

Google reCaptcha is the CAPTCHA solution offered by Google, which we have all already seen before:

Google recently created a third version, and it doesn’t work better. 

1- Google reCAPTCHA exposes end users to fraud

Since 2012, hacking Google reCAPTCHA has become a national sport: 

• https://arstechnica.com/information-technology/2012/05/google-recaptcha-brought-to-its-knees/
• https://threatpost.com/google-recaptcha-bypass-technique-uses-googles-own-tools/124006/
• https://www.wired.co.uk/article/google-captcha-recaptcha 

On the dark web, fraudsters resell kits to bypass Google reCAPTCHA industrially. On the web, it costs 1,5$ per 1000 Google reCAPTCHA hacked: https://anti-captcha.com/mainpage

Abdelaziz Khaled, Cyber Security Analyst at EVINA: “These tools are easy to download and set up. We find them everywhere. When we reverse-engineer a malware, as we did with MOBOK Malware, it involves a part of coding dedicated to bypassing Google reCAPTCHA” (picture below).

2- It prevents customers from purchasing what they want

Indeed, Google reCAPTCHA v3 generates false positives.

Wesley Hendriks, Head of Data Team at Sam Media: “We have tested Google reCAPTCHA v3 and compared the results with other anti-fraud solutions.  We noticed that around 50% of legitimate traffic, according to other anti-fraud solutions, received the lowest scores – ’10’ or ‘30’-  from Google reCAPTCHA V3.”

Since the product is free, Google offers very little support and understanding of the data collected. Google provides clients with a score between 0.0 and 1.0 for them to determine which transaction to block. Yet support and thorough analysis are key to fight fraud the right way.

Fabienne Huygens, Product Owner at CM.com: “When it comes to an anti-fraud solution, support is essential. The team at Evina is proactive and supports our teams on a daily basis to fight against fraud.”

Franck Semanne, Head of Carrier Billing at Bouygues Telecom: “In terms of anti-fraud solutions, we can’t rely on an average score to let us decide what we consider as a fraud. An anti-fraud solution must detect and precisely define a fraudulent attempt, and this is what we appreciate with Evina.”

Our team is at your disposal to provide you with effective tools to combat fraud, and to help your partners understand that Google reCAPTCHA is not an optimal anti-fraud solution.

The post Google Recaptcha is not an anti-fraud solution. appeared first on Evina.

Our customers are safe from this malware thanks to Evina’s protection. 

In order to charge for services the Troll SDK disables the WIFI, which draw user’s attention and bring them to give a bad rate on Google Play Store. To get around the problem, bots located in Thailand raise the average rating posting numerous 5-stars comments.

It seems the fraud is global with comments in Asia (Indian and Thai). Regarding Europe, the app is well-ranked in Austria, Italy and Spain.

FUNCTIONALITY

After installation, the Troll SDK waits several launches of the app before being executed and sending information to register to the Command & Control server hihotdog.com.

In return, the server responds with parameters including the phone_id which is used to query the server that will retrieve fraudulent offers. We also find information to execute the frauds like the time interval between each fraud.

Then, the Troll SDK executes the function doBiz, and next it queries the server to retrieve the fraudulent offers and disables the WIFI to go to the operator’s network.

Finally, the Troll SDK executes the urls and javascript contained in the server response.

It is common to find offended code or fraudulent files that are downloaded after installation in frauds to fool users. But this new fraudulent SDK does not hide, it uses a rather explicit name “Troll” and method names like “doBiz” …

It is surprising to see that the application has not been removed yet while there is no will to hide the fraud, especially since it has been installed a million times.

It is therefore necessary to be careful with the applications you download, to limit the risk we advise you:

To check the comments on the application page

To check the permissions (a wallpaper app don’t need to have phone permissions)

Avoid flashlight, scanner, wallpaper applications

We have reported the concerned apps to Google. 

The post Ad fraud: a troll lives in a one million install game appeared first on Evina.

Users complaint on the app Play Store page: content was disappointing, and some users have been subscribed to paid services without their consent. We also were able to confirm that EVINA DCBprotect blocked this malware since its very beginning. Companies protected by our solution have not been impacted by this fraud.

Since last weekend the application is ranked in the top free applications in France, Germany, Italy, Spain and in the Netherlands.

“Stars Wallpapers” has been downloaded more than 100,000 times in three days between January 2nd and January 5th.

How did we find it?

Evina uses its own global proxies network to catch frauds. We noticed an unusual behavior of few of them (data consumption higher than expected, bill invoiced for premium service). When noticing this kind of behavior, we dug on history and found where it came from: an application called “Stars Wallpapers.”

During the application’s analysis, we spotted that a piece of code of the application was missing even though it was declared.

We quickly realized that a library inside the application loads the fraudulent code. It creates two encrypted Dex files and deletes one of them as soon as it has been created and then loads it into the memory.

This method prevents detection by Google Play Store because the malicious code is not directly in the application.

First of all, the malware creates an invisible window to track the user’s behavior and trigger the fraud at the right time.

During this time, the application receives and writes instructions in streaming with a server on the faymobi.com domain on port 9091 (which helps to hide these exchanges).

Fraud instructions are stored in the application’s shared preferences. It contains encrypted information about the javascript actions to execute but also the information whether you have to send a sms or if you have to pass a captcha during the journey.

It also includes the time interval between each attack and the maximum number of attacks per day.

At the right time, the malware disables the wifi to be on the mobile network and launches an invisible browser, it executes all the actions of the file in the shared_prefs which thus subscribes to a premium service.

It is common to say that malware hides in unofficial store or is not very visible and contains suspicious permissions.

That’s why Stars Wallpapers is dangerous because it doesn’t ask for any suspicious permissions, the content of the application looks professional and above all it is very well-ranked on Google Play Store.

Fortunately, victims of this malware were able to comment or rate this application to warn of its dangerousness, which stopped its number of installations but not its ranking.

It is therefore necessary to be careful with the applications you download, to limit the risk we advise you:

To check the comments on the application page

To check the permissions (a wallpaper app don’t need to have phone permissions)

The post Malware rises to the top applications in the Google Play store appeared first on Evina.

Evina has been tracking a new ad and subscription bot family on Google Play. It is a new malware family that targets carrier billing and advertising. This type of fraud is becoming more and more widespread and is now able to bypass Google’s detection system.

The malware — going by the name Venus (the class name which executes the fraud) — simulates the interaction with ads and subscribes the user to premium services without him being aware. The browser is fully invisible during the on-going fraud.

The Venus malware has been attacking since late October and has reached the following countries: Belgium, France, Germany, Guinea, Morocco, Netherlands, Poland, Portugal, Senegal, Spain, and Tunisia.

The application uses the libjiagu library created by the Chinese company Qihoo. The library protects the application’s content and runs protections against reverse engineering. Unfortunately, fraudsters take advantage of the library and use it for mischevious purposes.

Yet, we were able to recover the DEX file (compiled Android file) containing the fraudulent code. The file was imported and decrypted in memory, after the anti-reverse check, in order to bypass Google’s detection.

Venus is waiting for the right time to attack. The malware is able to register the time that has passed after the application has been downloaded instead of launching on the day of the download.

At the time of the attack, Venus interrogates a C&C (Command and Control) server whose domain is: glarecube.com. The sent request is encrypted by the application as well as the response.

If we decrypt – which we did – the server’s response, we can see two things: 

    1) All the instructions containing URLs that redirect to premium services or websites containing ads, are all created by the fraudster

     2) The javascript commands are what make the process fraudulent

So, what happens in actual facts? 

The URL is loaded into an invisible browser – or several – without the application even running. The user does not know what’s going on and is billed through its carrier afterward. Undetected, the fraudster can make its profit from advertisement clicks and premium service subscriptions.

Nothing suspicious at first sight… But the Venus malware executed two browsers!

Today, out of the eight uncovered Venus malware apps, only one application has been removed from the Play Store and this was done only after being downloaded more than 100,000 times. Last month, Evina also caught 304 Joker applications, some of which are still on the Play Store. All of our customers have been protected from and warned about these new trojan families and we recommend all phone owners: 

• To check the comments on the application page
• To check the permissions (a wallpaper app doesn’t need to have phone permissions)
• To avoid flashlight, scanner, wallpaper applications

The post Evina’s cybersecurity analysts found a new trojan family on Google play store. appeared first on Evina.

Joker is a malware. A malicious app that makes purchases through carrier billing.

Which apps does Joker infect ?

The Joker malware infects numerous malicious apps. Most of them are utility apps, image filter apps, wallpaper apps, and also anti-virus apps.

What type of malware is Joker?

Joker is a classic-type malware, it is executed locally after having been downloaded on the Google Play Store. 

If it is a classic malware, why is everyone speaking about it? 

Well, it’s a very comprehensive malware. It knows how to read and write SMS messages, and how to steal information and contact lists from users. It targets specific and numerous countries at once. The Joker malware is the perfect representation of fraud on apps.

Were there any victims among Evina’s clients?

No. While several anti-fraud solutions are based on a blacklist, Evina DCBprotect is different. We don’t rely on a list of malicious apps, we detect fraud types and block fraud mechanisms. In other words, we search for fraud’s DNA. Evina detected and blocked 5M+ payment attempts/transactions labeled as the Joker virus, and our clients have been informed right away.

How is it possible to have malicious apps displayed in the Google Play Store? 

There are several techniques… when it comes to the Joker malware, the fraudulent code is downloaded on a server, then written after the app launches, so when Google Play receives the app and checks it, the fraudulent code doesn’t show. 

So, how did Evina DCBprotect detect it? 

The mechanism used by Joker had been identified in other malware through our mobile honeypot. Our honeypot mobile is a system that constantly installs malicious applications, decompiles and analyzes them to give us behavioral patterns to identify and block.

What is worth knowing about this malware? 

First of all, the malware makes the web page invisible to the victims and clicks on the purchase button without victims being aware. In order to hide the attack, the malware modifies the x-requested-with header. Last but not least, the app grabs phone numbers and compares them to a suspect numbers database created by the fraudster to assess whether to attack.

A final word?

Joker is the buzz of the moment, but there have been and there still are a lot more harmful and sophisticated malware targeting carrier billing. We are experts in carrier billing and 100% anti-fraud focused. In the last 24 hours, we’ve protected our clients from 91 358 fraudulent transactions.

Who is Maxime INGRAO?

Security Analyst at Evina, Maxime leads the malware research, reverse engineering and security web conception. Passionate of hacking, Maxime decided from a young age to focus on cybersecurity. As a teenager, he created a community website gathering 1500+ members around cybersecurity. He started his professional path in web development before fully working in cybersecurity.

The post Joker malware: What you need to know appeared first on Evina.